Bug 198293 - dns/bind99: bind UDP dnssec failing
Summary: dns/bind99: bind UDP dnssec failing
Status: Closed Feedback Timeout
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Mathieu Arnold
URL:
Keywords: needs-qa
Depends on:
Blocks:
 
Reported: 2015-03-04 21:48 UTC by brad
Modified: 2016-10-26 22:05 UTC
CC: 5 users

See Also:
vlad-fbsd: maintainer-feedback? (mat)


Description brad 2015-03-04 21:48:37 UTC
I am trying to configure DNSSEC as a master/slave. Following signing the zone and uploading the DS record to my provider, I am able to see what appears to be the proper output from dnssec-verify:

dnssec-verify -o ex-mailer.com ex-mailer.com.external.signed
 Loading zone 'ex-mailer.com' from file 'ex-mailer.com.external.signed'
 Verifying the zone using the following algorithms: RSASHA256.
 Zone fully signed:
 Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
but 3rd party tools such as http://dnsviz.net/d/ex-mailer.com/dnssec/ and/or http://dnssec-debugger.verisignlabs.com/ex-mailer.com say that my configuration is very incorrect and that UDP is not responding.

netstat -an|grep 53
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp6       0      0 ::1.53                 *.*                    LISTEN
tcp4       0      0 107.191.60.48.53       *.*                    LISTEN
tcp6       0      0 2001:19f0:7000:8.53    *.*                    LISTEN
udp4       0      0 127.0.0.1.53           *.*
udp6       0      0 ::1.53                 *.*
udp4       0      0 107.191.60.48.53       *.*
udp6       0      0 2001:19f0:7000:8.53    *.*


But, after 10 min or so, UDP on my IPv4 address begins to fail and the port will close. I get the following errors:

# tail -f /var/log/named/named.log
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
^C
# updatedb
>>> WARNING
>>> Executing updatedb as root.  This WILL reveal all filenames
>>> on your machine to all login users, which is a security risk.
# locate named.pid
/var/run/named/named.pid


Yet dig appears to query just fine following start of named:

before restart, following UDP freeze:
gentoo-mini ~ # dig ex-mailer.com ANY @107.191.60.48

; <<>> DiG 9.9.5 <<>> ex-mailer.com ANY @107.191.60.48
;; global options: +cmd
;; connection timed out; no servers could be reached
after restart of named:
gentoo-mini ~ # dig ex-mailer.com ANY @107.191.60.48

; <<>> DiG 9.9.5 <<>> ex-mailer.com ANY @107.191.60.48
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56608
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ex-mailer.com.                 IN      ANY

;; Query time: 199 msec
;; SERVER: 107.191.60.48#53(107.191.60.48)
;; WHEN: Wed Mar 04 06:15:32 EST 2015
;; MSG SIZE  rcvd: 42

master config:
acl "trusted" {
        108.61.190.64;
        107.191.60.48;
        2001:19f0:7000:8945::64;
        2001:19f0:6c00:8141::64;
        108.61.10.10;
        127.0.0.1/32;
        ::1/128;
};

acl "outside" {
        any;
};

options {
        directory "/usr/local/etc/namedb/working/";
        pid-file "/var/run/named/named.pid";
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
        transfer-source  108.61.10.10;
        listen-on-v6 { ::1; 2001:19f0:6c00:8141::64;};
        listen-on { 127.0.0.1; 108.61.190.64;};
        max-cache-ttl 1600;
        version none;
        allow-query {
                any;
                /* trusted; */
        };

        allow-query-cache {
                trusted;
        };

        allow-transfer {
                trusted;
        };

        allow-update {
                trusted;
        };

        //forward first;
        forwarders {
                108.61.10.10;
                108.61.190.64;
                107.191.60.48;
        };
};


logging {
        category default { default_log; };
        category queries { resolver_file; };
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
                severity warning;
        };
        channel resolver_file {
                file "/var/log/named/resolver.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        channel xfer-in_file {
                file "/var/log/named/xfer-in.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        category default { default_log; };
        category general { default_log; };
};

/*
include "/usr/local/etc/namedb/rndc.key";
*/
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys {"rndc-key"; };
};
key "rndc-key" {
        algorithm hmac-md5;
        secret "KcnxhOeXddg8dRNrn9Qfew==";
};


view "external" {
        match-clients { outside; };
        match-destinations { outside; };
        recursion yes;
        allow-query { outside; };
        zone "." IN {
                type hint;
                file "/usr/local/etc/namedb/named.root";
        };
        zone "ex-mailer.com" {
                type master;
                allow-transfer {107.191.60.48;};
                also-notify {107.191.60.48;};
                key-directory "/usr/local/etc/namedb/";
                file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
        };

        zone "190.61.108.in-addr.arpa"{
                type master;
                file "/usr/local/etc/namedb/reverse.external";
        };
        zone "127.in-addr.arpa" {
                type master;
                file "/usr/local/etc/namedb/127.0.0.1";
        };

};

slave config:
acl "trusted" {
        108.61.190.64;
        107.191.60.48;
        2001:19f0:7000:8945::64;
        2001:19f0:6c00:8141::64;
        108.61.10.10;
        127.0.0.1/32;
        ::1/128;
};

acl "outside" {
        any;
};

options {
        directory "/usr/local/etc/namedb/working/";
        pid-file "/var/run/named/named.pid";
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        auth-nxdomain no;
        transfer-source  108.61.10.10;
        listen-on-v6 { ::1; 2001:19f0:7000:8945::64;};
        listen-on { 127.0.0.1; 107.191.60.48;};
        max-cache-ttl 1600;
        version none;
        allow-new-zones yes;
        allow-query {
                any;
                /* trusted; */
        };

        allow-query-cache {
                trusted;
        };

        allow-transfer {
                trusted;
        };

        allow-update {
                trusted;
        };

        //forward first;
        forwarders {
                108.61.10.10;
                108.61.190.64;
                107.191.60.48;
        };
};


logging {
        category default { default_log; };
        category queries { resolver_file; };
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
                severity warning;
        };
        channel resolver_file {
                file "/var/log/named/resolver.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        channel xfer-in_file {
                file "/var/log/named/xfer-in.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        category default { default_log; };
        category general { default_log; };
};


#include "/usr/local/etc/namedb/rndc.key";

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys {"rndc-key"; };
};

key "rndc-key" {
        algorithm hmac-md5;
        secret "N/SB9HZwr5yRIBwtRjcA6A==";
};

view "external" {
        match-clients { outside; };
        match-destinations { outside; };
        recursion yes;
        allow-query { outside; };
        zone "." IN {
                type hint;
                file "/usr/local/etc/namedb/named.root";
        };


        include "/usr/local/etc/namedb/tmp/zonelist.db";

        zone "ex-mailer.com" {
                type slave;
                masters {108.61.190.64;};
                allow-notify{108.61.190.64;};
                allow-transfer {none;};
                key-directory "/usr/local/etc/namedb/";
                file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
        };
        zone "190.61.108.in-addr.arpa"{
                type master;
                file "/usr/local/etc/namedb/reverse.external";
        };
        zone "127.in-addr.arpa" {
                type master;
                file "/usr/local/etc/namedb/127.0.0.1";
        };

};
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2015-03-04 22:53:07 UTC
Take a guess as to which port this PR applies to and attempt to notify maintainer.
Comment 2 brad 2015-03-04 22:59:53 UTC
I have been in contact with #bind and they don't know. It's not a config issue from their perspective.
I get an occasional error from the 3rd party tools indicating a malformed PMTU but all system settings are default and NIC mtu is 1500 which is correct.
#bind thought it was a firewall issue (connection tracking) but there is no firewall installed on the device.
Many fingers are pointing to some system level default misconfiguration.
Comment 3 Jaap Akkerhuis 2015-03-05 12:36:44 UTC
This has nothing to do with dns/opendnssec port. It probably hasn't anything to do with any FreeBSD port.

The question also popped up the bind mailing list.

I suggest closing this due to lack of information.
Comment 4 Jason Unovitch freebsd_committer 2016-04-06 01:32:52 UTC
Fix the munged name reassignment and add the maintainer to CC.  dnssec-verify, the logs, and configs are all part of BIND and it appears to be dns/bind99 based off a best guess from the dig output.

Regarding these...
> # tail -f /var/log/named/named.log
> 04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored

You probably want to add this to the named.conf
options {
        // stop the periodic interface rescan that re-creates the listening sockets
        interface-interval 0;
};
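A health check for the failure mode in this report, added here as an example (it is not from the bug report, the port or BIND): it parses named.log for the interface-rescan error burst quoted above, and compares the UDP sockets visible in FreeBSD `netstat -an` output against the addresses that `listen-on` expects, so a listener that was silently dropped is caught by monitoring rather than by client timeouts. The log and netstat lines are constructed in the format shown in the report, and the expected address list is a stand-in for whatever `listen-on` / `listen-on-v6` contain on the host.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the report's named.log excerpt.
SAMPLE_LOG = """\
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 19:39:58.301 network: error: could not listen on UDP socket: permission denied
"""
# Constructed 'netstat -an' excerpt: TCP on the public address survived, UDP did not.
SAMPLE_NETSTAT = """\
tcp4       0      0 107.191.60.48.53       *.*                    LISTEN
udp4       0      0 127.0.0.1.53           *.*
udp6       0      0 ::1.53                 *.*
"""

IFACE_RE = re.compile(r"^(\S+ \S+) network: error: creating IPv[46] interface \S+ failed")
LISTEN_RE = re.compile(r"^(\S+ \S+) network: error: could not listen on (UDP|TCP) socket")

def scan_log(text):
    """Count both error kinds per timestamp; a burst containing both is one failed rescan."""
    by_ts = {}
    for line in text.splitlines():
        if (m := IFACE_RE.match(line)):
            by_ts.setdefault(m.group(1), Counter())["iface"] += 1
        elif (m := LISTEN_RE.match(line)):
            by_ts.setdefault(m.group(1), Counter())["listen"] += 1
    return by_ts

def listener_failures(text):
    """(timestamp, listen failures, interface failures) for every burst that lost a socket."""
    return [(ts, c["listen"], c["iface"])
            for ts, c in sorted(scan_log(text).items()) if c["listen"]]

def udp_listeners(netstat_text, port=53):
    """Local addresses with a UDP socket on `port`, parsed from the addr.port column of
    FreeBSD 'netstat -an'. netstat truncates long IPv6 addresses unless given -W, so run
    it as 'netstat -anW' when feeding real output in."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("udp"):
            addr, _, p = parts[3].rpartition(".")
            if p == str(port):
                found.add(addr)
    return found

def missing_udp_listeners(expected, netstat_text, port=53):
    """Addresses from listen-on / listen-on-v6 that have no UDP socket on `port`."""
    return sorted(set(expected) - udp_listeners(netstat_text, port))

if __name__ == "__main__":
    print(listener_failures(SAMPLE_LOG))
    print(missing_udp_listeners(["127.0.0.1", "107.191.60.48"], SAMPLE_NETSTAT))
```

A non-empty result from either function is the condition to alert on; `interface-interval 0` removes the rescan that triggers the error burst, and this check confirms the sockets actually stay up afterwards.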
Comment 5 VK freebsd_triage 2016-10-16 18:57:32 UTC
(In reply to jaap from comment #3)

> I suggest closing this due to lack of information.

Thanks for the feedback. Is this still the case, or is there any new info?
Comment 6 Jaap Akkerhuis 2016-10-25 16:47:09 UTC
(In reply to Vladimir Krstulja from comment #5)
I have no new info about this.

And again, this is not related to dns/opendnssec. One should ask the dns/bind99 maintainer.
Comment 7 Mathieu Arnold freebsd_committer 2016-10-26 22:05:20 UTC
Closing this, this feels like a local setup problem, not something any port could fix.